Hi Chris, On Sat, 3 Sep 2022, Christoph Anton Mitterer wrote: > A while ago there was this discussion about security issues with > respect to bare repos embedded in another repo[0][1]. > > > I just wondered what's the status on this? Was that fixed in a way that > one can clone untrusted repos and navigate / use git commands within > them, without any risk… or is it still open? > > Saw proposed patches like: > https://lore.kernel.org/git/pull.1261.git.git.1651861810633.gitgitgadget@xxxxxxxxx/#r As you can see at the corresponding Pull Request, the patch series has been accepted: https://github.com/git/git/pull/1261#issuecomment-1193004345 If you follow the link to the commit (https://github.com/git/git/commit/18bbc795fc52), you will see that it is not yet in any official tagged version (otherwise you would see the list of tags below the branch name). This means that it will be part of the next release. The current timeline for that release can be seen at https://tinyurl.com/gitcal, the projected date for Git v2.38.0 is October 3rd, 2022. Note: The default will still be at `safe.bareRepository = all`. I foresee myself setting this to `explicit` via my user-wide configuration. Potentially a future Git version will add deprecation warnings and an even more distant Git version might switch the default. This is still up for discussion, I believe. Ciao, Johannes
